How Microsoft Entra Tenant Governance Uncovers Shadow Tenants and Cuts Risk
#Security


Cloud Reporter

Microsoft Entra’s new Related Tenants discovery feature gives organizations continuous visibility into hidden Microsoft Entra ID (formerly Azure AD) tenants, enabling rapid quarantine, policy enforcement, and governance. Compared with competing identity platforms, Entra offers tighter integration with Azure billing, Global Secure Access, and native API automation, making it the most pragmatic choice for enterprises seeking to eliminate shadow‑tenant risk.

What changed

Microsoft announced the public preview of Entra Tenant Governance – Related Tenants. A single toggle in the Entra admin center now launches continuous discovery of any Entra ID tenant that interacts with your environment through B2B collaboration, multitenant app registrations, shared billing, or sign‑in activity. The service builds an automatically refreshed inventory, surfaces the signals that created each link (for example, a guest invitation, a service principal whose appOwnerOrganizationId belongs to another tenant, or a sign‑in whose home tenant differs from the resource tenant), and lets security teams quarantine or onboard each tenant with a few clicks or via API.

Key capabilities include:

  • One‑click enablement – no extra agents or network changes required.
  • Signal‑rich relationship view – shows B2B guest invitations, appOwnerOrganizationId matches, and shared subscription IDs.
  • Built‑in quarantine workflow – block sign‑ins, revoke service‑principal permissions, and apply Tenant Restrictions v2 policies instantly.
  • Continuous refresh – new tenants appear in the inventory as soon as a cross‑tenant event is logged.
  • Extensible telemetry – optional enrichment from Azure billing, Entra sign‑in logs, Microsoft 365 audit logs, and Azure Activity logs.


Provider comparison

Feature | Microsoft Entra (Tenant Governance) | Okta Identity Cloud | Ping Identity
Native Entra ID (Azure AD) discovery | Built‑in; uses the Entra identity graph and billing data | Requires a separate Okta‑Azure sync tool | No native tenant discovery; relies on custom SCIM scripts
One‑click enable | Yes, via Entra admin center | No; needs custom provisioning pipelines | No; needs API integration
Quarantine action set | Sign‑in block, service‑principal revocation, Tenant Restrictions v2 | Session revocation only; no tenant‑wide block | Limited to policy enforcement on apps, not tenant isolation
API coverage | Full REST API for discovery, relationship metadata, and quarantine | Okta API covers users/apps but not cross‑tenant metadata | Ping API focuses on auth policies, not tenant inventory
Pricing model | Included in Entra ID P2 (or as preview add‑on) | Separate “Advanced Server Access” add‑on | Add‑on modules priced per auth transaction
Integration depth | Direct tie‑in to Azure subscription billing, Global Secure Access, Microsoft 365 compliance | Integrates via Entra ID connector, but no billing visibility | Requires Entra ID connector for any cross‑tenant data

Why Entra leads – The discovery engine runs on Microsoft’s identity graph, meaning every cross‑tenant token, invitation, or subscription relationship is already recorded. Competitors must either pull logs from Entra ID (adding latency) or rely on manual inventory, which leaves gaps. Entra also ships quarantine as a first‑class operation; Okta and Ping can block user sessions but cannot isolate an entire tenant without custom scripting.

Business impact

  1. Reduced attack surface – By surfacing hidden tenants, organizations eliminate the “unknown” that attackers exploit for lateral movement. In the Contoso example, five out of fourteen discovered tenants were never onboarded, and one contained a high‑risk multitenant app. Quarantining that tenant cut off a potential privilege‑escalation path within hours.
  2. Faster incident response – The built‑in workflow lets a security analyst block sign‑ins and revoke service‑principal permissions from the same UI used for daily governance. No separate ticketing or scripting is required, shrinking mean‑time‑to‑contain (MTTC) from days to minutes.
  3. Governance cost savings – Continuous discovery replaces periodic manual audits, which often cost thousands of engineering hours per year. The automated inventory also feeds directly into compliance evidence, such as Azure Policy compliance reports and ISO 27001 and SOC 2 audits.
  4. Strategic cloud‑M&A integration – Acquired businesses frequently spin up separate tenants. Entra’s Related Tenants view surfaces those assets immediately, allowing the integration team to decide whether to merge, isolate, or retire them, thereby avoiding duplicate licensing and data‑sprawl.
  5. Future‑proofing – The preview notes that the legacy add‑on tenant creation flow will retire on 15 August 2026. Early adoption ensures that new subsidiaries are created through the secure flow, preventing future shadow‑tenant creation.

Next steps for a security‑focused organization

  1. Enable discovery in the Entra admin center (Tenant governance → Related tenants).
  2. Pull the inventory via the Tenant Governance API and feed it into your SIEM.
  3. Define a quarantine policy that automatically blocks any newly discovered tenant lacking a “trusted” tag.
  4. Align the quarantine workflow with your change‑management process – run a short “scream test” (block sign‑ins from the tenant for a limited window and watch for breakage reports) before fully isolating a tenant.
  5. Use the related‑tenant list to scope your Entra cross‑tenant access settings and app consent policies, so that least‑privilege app consent is enforced across the entire footprint. (Azure Policy governs Azure resources, not Entra app consent, so it is not the right control for this step.)
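The following is an added example, not code from the Entra feature or from this article. It shows, in one script, the two pieces of logic the page describes: building the relationship view from the raw signals listed under Key capabilities (sign‑ins whose home tenant differs from the resource tenant, and service principals whose appOwnerOrganizationId is another tenant), and then applying the quarantine rule from step 3 (any discovered tenant without a “trusted” tag is a candidate) and emitting the Tenant Restrictions v2 / cross‑tenant access block for it. The sample records are constructed; their field names follow the Microsoft Graph signIn (homeTenantId, resourceTenantId, crossTenantAccessType) and servicePrincipal (appOwnerOrganizationId) resources, and the generated request body follows the Graph crossTenantAccessPolicyConfigurationPartner resource. That the preview Tenant Governance API accepts the same shape is an assumption; the script calls no API and only produces the bodies. Revoking the service principal’s permissions, the other quarantine action the article mentions, is not shown.

```python
"""Related-tenant discovery and quarantine decision (added example).

Sample data is constructed. Field names follow Microsoft Graph signIn and
servicePrincipal resources; the output body follows Graph's
crossTenantAccessPolicyConfigurationPartner. Nothing here calls Graph.
"""
from collections import defaultdict

HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed: our tenant
# Tenant that owns Microsoft first-party apps; its appOwnerOrganizationId
# is expected on every first-party service principal and is not a shadow tenant.
MICROSOFT_FIRST_PARTY = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"

PARTNER_A = "22222222-2222-2222-2222-222222222222"  # constructed: onboarded supplier
PARTNER_B = "33333333-3333-3333-3333-333333333333"  # constructed: our users sign in there
PARTNER_C = "44444444-4444-4444-4444-444444444444"  # constructed: owns an app we consented to
SHADOW_APP_ID = "aaaaaaaa-0000-0000-0000-000000000001"  # constructed appId

# Constructed sign-in log entries, shaped like /auditLogs/signIns results.
SIGN_INS = [
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example",
     "homeTenantId": PARTNER_A, "resourceTenantId": HOME_TENANT,
     "crossTenantAccessType": "b2bCollaboration"},
    {"userPrincipalName": "bob@contoso.example",          # internal: no signal
     "homeTenantId": HOME_TENANT, "resourceTenantId": HOME_TENANT,
     "crossTenantAccessType": "none"},
    {"userPrincipalName": "carol@contoso.example",        # outbound guest access
     "homeTenantId": HOME_TENANT, "resourceTenantId": PARTNER_B,
     "crossTenantAccessType": "b2bCollaboration"},
]

# Constructed service principals, shaped like /servicePrincipals results.
SERVICE_PRINCIPALS = [
    {"displayName": "HR Sync (multitenant)", "appId": SHADOW_APP_ID,
     "appOwnerOrganizationId": PARTNER_C},
    {"displayName": "Internal line-of-business app", "appId": "bbbbbbbb-0000-0000-0000-000000000002",
     "appOwnerOrganizationId": HOME_TENANT},
    {"displayName": "Microsoft Graph", "appId": "00000003-0000-0000-c000-000000000000",
     "appOwnerOrganizationId": MICROSOFT_FIRST_PARTY},
]

# Constructed governance tags (hypothetical CMDB export). Step 3's rule keys on "trusted".
TENANT_TAGS = {PARTNER_A: {"trusted"}, PARTNER_B: set()}   # PARTNER_C is entirely unknown


def build_inventory(sign_ins, service_principals, home_tenant=HOME_TENANT):
    """Map each foreign tenant id to the sorted list of signals that linked it."""
    inventory = defaultdict(set)
    for s in sign_ins:
        home, resource = s.get("homeTenantId"), s.get("resourceTenantId")
        if not home or not resource or home == resource:
            continue  # same-tenant sign-in carries no cross-tenant signal
        if resource == home_tenant:
            inventory[home].add(f"inbound:{s.get('crossTenantAccessType', 'unknown')}")
        elif home == home_tenant:
            inventory[resource].add(f"outbound:{s.get('crossTenantAccessType', 'unknown')}")
    for sp in service_principals:
        owner = sp.get("appOwnerOrganizationId")
        if owner and owner not in (home_tenant, MICROSOFT_FIRST_PARTY):
            inventory[owner].add(f"app:{sp['appId']}")
    return {tenant: sorted(signals) for tenant, signals in inventory.items()}


def quarantine_candidates(inventory, tags):
    """Step 3: every discovered tenant that lacks a 'trusted' tag."""
    return sorted(t for t in inventory if "trusted" not in tags.get(t, set()))


def partner_quarantine_body(tenant_id):
    """Body for POST /policies/crossTenantAccessPolicy/partners that blocks
    inbound and outbound B2B collaboration and applies Tenant Restrictions v2
    (assumed shape; verify against current Graph docs before use)."""
    users_blocked = {"accessType": "blocked",
                     "targets": [{"target": "AllUsers", "targetType": "user"}]}
    apps_blocked = {"accessType": "blocked",
                    "targets": [{"target": "AllApplications", "targetType": "application"}]}
    b2b = {"usersAndGroups": users_blocked, "applications": apps_blocked}
    return {
        "tenantId": tenant_id,
        "b2bCollaborationInbound": b2b,
        "b2bCollaborationOutbound": b2b,
        "tenantRestrictions": b2b,
    }


if __name__ == "__main__":
    inv = build_inventory(SIGN_INS, SERVICE_PRINCIPALS)
    for tenant, signals in sorted(inv.items()):
        print(tenant, signals)
    for tenant in quarantine_candidates(inv, TENANT_TAGS):
        print("quarantine:", tenant, partner_quarantine_body(tenant)["tenantId"])
```

Run against the constructed data, the inventory lists three foreign tenants; the supplier tagged “trusted” is left alone, and the two untagged ones (the tenant our users sign into and the tenant that owns the multitenant app) come back as quarantine candidates. Feeding real Graph exports in requires no change to the functions, only to where the lists come from; the scream‑test window in step 4 is where you would hold the generated bodies before posting them.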

By treating tenant discovery as a core identity control rather than an after‑thought audit, enterprises can turn a hidden risk into a manageable asset. Entra’s approach gives you the data, the action set, and the integration depth needed to keep shadow tenants from becoming security incidents.

